Network protection via embedded controls

The Patent Description & Claims data below is from USPTO Patent Application 20080159152, Network protection via embedded controls.

The present disclosure describes a method for protecting networks and in-line devices using embedded controls.

BACKGROUND

Networks are used to distribute information among computer systems by sending the information in segments such as packets. A packet typically includes a “header” that directs the packet through the network to a destination, and a “payload” that stores a segment of information being sent through the network. At particular locations in the network, the packet header is accessed to identify the packet's destination and determine the path in the network to send the packet. To determine the path, data in the packet's header is compared to data stored at the network location for a potential match. By matching the header data and the locally stored data, an appropriate path is identified and the packet is sent over the path for delivery to its destination.

In general, an in-line device may refer to a specialized server or hardware device which does more than just forward packets as do hubs, switches and standard routers. As such it may require higher processing power per packet and may be capable of handling less than the traffic being handled by the simpler network devices. In-line devices may be used in a variety of different applications such as compression, intrusion prevention, application layer inspection, etc. Due to the relatively high central processing unit (CPU) requirements per packet, these devices may be susceptible to extremely high traffic flows, which may create both intentional and incidental denial of service (DoS) attacks on these devices.
Some network devices may employ a number of different techniques in order to control and prioritize traffic.

BRIEF DESCRIPTION OF DRAWINGS

Features and advantages of the claimed subject matter will be apparent from the following detailed description of embodiments consistent therewith, which description should be considered with reference to the accompanying drawings, wherein:

FIG. 1 is a block diagram showing one exemplary embodiment in accordance with the present disclosure;
FIG. 2 is a block diagram showing another exemplary embodiment in accordance with the present disclosure;
FIGS. 3A and 3B are diagrams showing examples of an IP packet header and the Differentiated Services packet format; and
FIG. 4 is a flowchart showing operations in accordance with another exemplary embodiment of the present disclosure.

Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art.

DETAILED DESCRIPTION

Generally, this disclosure describes a method for protecting in-line devices while allowing part (or potentially all) of the data packets suspected of infection to be handled by those devices. In some embodiments, resources may be used at the endpoint to mark data packets suspected of infection with a known specific low quality of service (QoS) marking including, but not limited to, that commonly used by the scavenger queue. The embodiments described herein may be configured to allow in-line devices to handle the actual expected traffic and some level of suspected traffic, while avoiding extreme, denial of service (DoS) situations.

FIG. 1 is an exemplary embodiment of a system 100 in accordance with the present disclosure. System 100 may include a series of networks, such as Networks A, B, M, etc.
These networks may be personal area networks (PANs), local area networks (LANs), campus area networks (CANs), or metropolitan area networks (MANs). WAN 106 may be a centralized or distributed WAN and may have a wide array of connectivity options such as, but not limited to, leased line, circuit switching, packet switching and cell relay.

System 100 may include a number of endpoint devices 102A-C, which may be controlled by a central management server 104 through a network 106 such as a wide area network (WAN). An “endpoint” as used herein may refer to an individual computer system or device that may act as a network client and may serve as a workstation or personal computing device. An endpoint may be mobile and intermittently connected. Some examples of endpoints may include, but are not limited to, laptops, desktops and personal computing devices such as personal digital assistants (PDAs). An application server may be considered an endpoint when it functions as a network host.

Endpoint devices 102A-C may belong to the same Internet Protocol (IP) network 108 and may all be connected using VLAN switch 110, which may include LAN switches or other devices capable of creating a series of instant networks that contain only the two devices communicating at that particular moment. For example, LAN switches may be capable of inspecting data packets as they are received, determining the source and destination of each packet and forwarding it in an appropriate manner. Switch 110 may also be capable of connecting Ethernet, Token Ring, Fibre Channel or other types of packet switched networks together. System 100 may include switches, hubs (not shown) and/or hub/switch combinations as necessary.

Switch 110 may implement QoS mechanisms to ensure that the amount of traffic marked with the selected QoS value forwarded to the in-line device, such as intrusion prevention system (IPS) 112, may not pass a known threshold.
This threshold may be selected by an administrator to match the maximum resources the system is willing to utilize for the monitoring and/or processing of suspected traffic. For example, switch 110 may include an IPS connection port, which may provide a communication link to IPS 112 as well as other parts of system 100 further “upstream.”
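The threshold behaviour described for switch 110, sketched as an added example that is not part of the patent application: packets carrying the suspect marking are policed before they reach the in-line device, while unmarked traffic passes untouched. Assumptions not found in the text: DSCP 8 (CS1) as the scavenger marking, a token bucket as the QoS mechanism, the rate and burst figures, and all names (`SuspectPolicer`, `dscp_of`, `make_ipv4`, `simulate`), which are hypothetical.

```python
import struct

SCAVENGER_DSCP = 8  # assumption: CS1, a common scavenger code point; the text names no value


def dscp_of(packet: bytes) -> int:
    """Return the 6-bit DSCP: the upper six bits of byte 1 of the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet with a full 20-byte header")
    return packet[1] >> 2


class SuspectPolicer:
    """Token bucket limiting suspect-marked bytes sent on to the in-line device."""

    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0       # refill rate in bytes per second
        self.burst = burst_bytes         # bucket depth: the administrator's threshold
        self.tokens = float(burst_bytes)
        self.last = 0.0                  # time of the last suspect packet seen

    def decide(self, packet: bytes, now: float) -> str:
        if dscp_of(packet) != SCAVENGER_DSCP:
            return "forward"             # unmarked traffic is not policed here
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if len(packet) <= self.tokens:
            self.tokens -= len(packet)
            return "forward"
        return "drop"                    # over threshold: kept away from the IPS


def make_ipv4(dscp: int, payload_len: int) -> bytes:
    """Constructed sample packet: minimal IPv4/UDP header (checksum left 0), zero payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0,
                         64, 17, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + bytes(payload_len)


def simulate() -> dict:
    """100 suspect and 100 normal 1000-byte packets arriving within 10 ms."""
    policer = SuspectPolicer(rate_bps=80_000, burst_bytes=3_000)
    counts = {"suspect_forward": 0, "suspect_drop": 0,
              "normal_forward": 0, "normal_drop": 0}
    for i in range(100):
        now = i * 0.0001
        counts["suspect_" + policer.decide(make_ipv4(SCAVENGER_DSCP, 980), now)] += 1
        counts["normal_" + policer.decide(make_ipv4(0, 980), now)] += 1
    return counts
```

In the simulated burst only the first three suspect packets fit the bucket, so the in-line device sees a bounded amount of suspect traffic while every unmarked packet is still forwarded.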